The Sofacy hacking group (also known as APT28, Sednit, and Fancy Bear) has developed a new trojan called ‘Komplex’ to help it target OS X users.

A Komplex infection begins with a binder component that saves a decoy document to the target system.

As Palo Alto Networks explains in a blog post, it encountered a sample of the malware where the PDF document spelled out the history of the Russian Federal Space Program’s projects between 2016 and 2025.

This might mean that Komplex is being used to target OS X users specifically in the aerospace industry.

At the same time, the binder component saves another executable. That’s the Komplex dropper, which is responsible for making sure a third executable achieves persistence so that it can execute every time OS X boots up.

All that remains is the Komplex payload, which withholds its main functionality until it has run two checks: one to see whether it is being debugged, and one to see whether it can reach Google.com over the web.

The Komplex trojan’s debugging check (Source: Palo Alto Networks)

Only if both tests pass, that is, no debugger is attached and Komplex can safely reach the internet, does the payload execute its main functionality.

“The Komplex payload uses an 11-byte XOR algorithm to decrypt strings used for configuration and within C2 communications, including the C2 domains themselves. Figure 8 shows a screenshot of Komplex’s custom string decryption algorithm, along with the XOR key used to decrypt strings within the payload.”
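To make the string-decryption scheme described in that quote concrete, the following is an added example (not code from the Palo Alto Networks post or from the Komplex sample) of repeating-key XOR with an 11-byte key. The key bytes, the "encrypted" configuration strings, and the helper names (`xor_bytes`, `decrypt_string`, `recover_key`, `decrypt_config`) are all constructed here for illustration and are not the malware's real key or strings. It also shows the analyst's side of such a scheme: because each ciphertext byte is one plaintext byte XORed with one key byte, a single string whose plaintext you can guess (here a User-Agent value, assumed to be encrypted starting at key offset 0) is enough to recover the whole key and decrypt everything else, including the C2 domains.

```python
# Added example: repeating-key XOR string decryption of the kind Komplex uses
# (11-byte key). The key, the sample strings, and the helper names below are
# constructed for illustration and are NOT the real key or strings from the
# malware sample analyzed by Palo Alto Networks.
from itertools import cycle

KEY_LEN = 11  # the post states an 11-byte XOR key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is symmetric, so this both
    encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_string(blob: bytes, key: bytes) -> str:
    """Decrypt a NUL-terminated string the way the payload would at runtime
    (assumption: each string is encrypted starting at key offset 0)."""
    plain = xor_bytes(blob, key)
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def recover_key(blob: bytes, known_plain: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover a repeating key from one ciphertext/known-plaintext pair.

    Since c[i] = p[i] ^ key[i % key_len], each key byte is fixed by a single
    known plaintext byte, so key_len bytes of known plaintext suffice.
    """
    if len(known_plain) < key_len or len(blob) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(blob[i] ^ known_plain[i] for i in range(key_len))


def decrypt_config(blobs: dict, key: bytes) -> dict:
    """Decrypt every configuration string in a name -> ciphertext mapping."""
    return {name: decrypt_string(blob, key) for name, blob in blobs.items()}


# Hypothetical 11-byte key (constructed; not Komplex's actual key).
SAMPLE_KEY = bytes([0x4B, 0x6F, 0x6D, 0x70, 0x6C, 0x65, 0x78,
                    0x21, 0x0A, 0x3C, 0x9E])

# Constructed "encrypted" configuration strings, produced with SAMPLE_KEY.
# In a real sample these would be byte arrays lifted from the binary.
SAMPLE_BLOBS = {
    "c2_domain": xor_bytes(b"c2.example.invalid\x00", SAMPLE_KEY),
    "user_agent": xor_bytes(b"Mozilla/5.0 (Macintosh)\x00", SAMPLE_KEY),
}

if __name__ == "__main__":
    # Runtime view: the payload decrypts its configuration with the key.
    for name, value in decrypt_config(SAMPLE_BLOBS, SAMPLE_KEY).items():
        print(f"{name}: {value}")

    # Analyst view: guess one plaintext, recover the key, decrypt the rest.
    guessed_key = recover_key(SAMPLE_BLOBS["user_agent"],
                              b"Mozilla/5.0 (Macintosh)")
    print("recovered key:", guessed_key.hex())
    print("c2 domain via recovered key:",
          decrypt_string(SAMPLE_BLOBS["c2_domain"], guessed_key))
```

The recovered C2 domains are what a defender wants from a sample like this: once decrypted, they can be pushed to DNS and proxy blocklists without having to watch the payload beacon out. The catch is the offset assumption; if a sample restarts the key at a different index per string, the recovered bytes will be rotated and you will need to try each of the 11 rotations.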

From there, the malware collects information about the infected machine, including username and system version, and sends it to its command-and-control server.

Beacon sent from Komplex to C2 containing system information within the HTTP POST data (Source: Palo Alto Networks)

That server responds back with a series of commands that enables Komplex to download additional files as well as execute or delete existing files.

As you might have guessed, this is not Sofacy’s first foray into computer crime and espionage.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.